topic Re: Web AS ABAP, Logon via HTTPS Help in Application Development and Automation Discussions

Web AS ABAP, Logon via HTTPS Help

Former Member — Mon, 05 Feb 2007 16:35:25 GMT

I'd like to secure the user authentification of a BSP/BW application and only the user authentification.

I have setup SSL on a Web AS ABAP server (Netweaver 04s) as described in several articles/sap notes/ weblogs ...

I have used System Logon and enable Logon via HTTPS.

Everything seems to work except that in Firefox displays a warning message saying that the login page is encrypted but the data is transmitted "in clear". Does it mean that I actually did not encrypt the user/pass this way ? What is the way to achieve this goal ?

Thanks for your help

Re: Web AS ABAP, Logon via HTTPS Help

Wolfgang_Janzen — Mon, 05 Feb 2007 17:21:37 GMT

I would interpret this alert in the same way as you.

To clarify the issue I'd suggest to take a look into the (HTLM) source code of the logon page. Lookup for the "POST" statement - it should use "https" and not "http".

Regards, Wolfgang

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Mon, 05 Feb 2007 18:45:27 GMT

Are you going through a proxy or web dispatcher first? You will have to do SSL for them too.

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Mon, 05 Feb 2007 22:49:05 GMT

No proxy, no web dispatcher for the moment although the latter will become a part of the problem to be solved.

The Login page source code is generated by System Logon option (SICF - Create / Change Service/ Error Pages/System Logon) and I cannot change it manually.

I have used System Logon because it seems to be recommended by SAP from Netweaver 04 SP1 (SAP Security Guide) as more flexible than the basic authentification mechanism.

The problem I have is pretty basic and several web sites use HTTPS for authentification only (Yahoo Mail for example).

The question is : what is the right way to do it for a SAP BSP Application ?

Thank you

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Tue, 06 Feb 2007 07:39:00 GMT

Hi Serge,

this can have a couple of reasons. Could you please post the exact text of the message ? If there are pictures in the page, they may be included using HTTP. On the other hand, as Wolfgang mentioned, the post operation may use HTTP instead of HTTPS, which can be checked by looking at the HTML source. If it reads:

<form action="https://...." ...>

everything is ok. If it reads

<form action="something URI" ...>

it is depedning on the initial URL (you said, this was https) or a

<base href="...">

statement. As I haven't seen any base statments in BSP so far, I would guess this would be ok as well (BTW: this is the way it is handled in the system I just looked at).

However it it reads

<form action="http://..." ...>

the logon data would be transmitted in plaintext.

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Tue, 06 Feb 2007 08:31:14 GMT

Patrick,

The application is an example BSP application I use for testing purposes.

it is IT00 under /default_host/sap/bc/bsp/sap/it00 (SICF). My server is a Netweaver 04s ABAP Web AS.

The test is very easy to do if you have first configured SSL on your server as described here : /people/gregor.wolf3/blog/2005/10/11/setup-https-ssl-for-the-sneak-preview-sap-netweaver-04-abap-edition-on-windows)

1) Go to "Error Pages" Tab

2) Edit. Select System Logon. Press Configuration.

3) Define Service specific Settings

4) Select the options needed. In my case I have selected "Logon via HTTPS".

System Logon replaces Basic Authentification and has many options. You can even customize the look of the resulting page (see /people/sergio.ferrari2/blog/2007/04/06/bsphowto--customizing-the-design-of-system-logon-page-in-netweaver-04)

I thought it would allow to authenticate a user using HTTPS but I may have missed something here. So my question is still : Is there a SIMPLE way to use HTTPS only for user authentification in a BSP application without coding your own login page ?

Thank you.

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Tue, 06 Feb 2007 08:54:32 GMT

Hi Serge,

what I did refer to was the following question from you:

Everything seems to work except that in Firefox displays a warning message saying that the login page is encrypted but the data is transmitted "in clear". Does it mean that I actually did not encrypt the user/pass this way ? What is the way to achieve this goal ?

Setting the option 'Logon via HTTPS' should transmit the logon data encrypted, if HTTPS is configured correctly. As per the error message, I would say, this is the case.

Regards,

Patrick

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Tue, 06 Feb 2007 09:18:18 GMT

Patrick

Sorry. Here is the error message issued by Firefox is :

"Although the (logon) page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?"

I still have doubts. What do you think ?

Above all, I don't know this settings are available in Netweaver 04. My test servers are 04s only.

If HTTPS was not configured correctly, I think I won't even have the chance to see the login page displayed on my browser.

Best Regards

Serge

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Tue, 06 Feb 2007 09:33:38 GMT

Hi Serge,

please tell me the following:

- what is the URL in addres bar of firefox

- rightclick into the page and select 'View Page Source'

search for '<form' and tell me what is behind 'action='

Thanks,

kind regards,

Patrick

please award points to the person(s) that helped solving your question and tell us what the solution was.

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Tue, 06 Feb 2007 09:41:20 GMT

Hi Patrick

Address : https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open

Source code

Sorry it's quite long.

Regards

Serge

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Tue, 06 Feb 2007 09:53:32 GMT

according to this info, the post should be made over SSL, because:

the Webpage is called using https:

https://pcyydsdv.pcy.edfgdf.fr/.

the form used is at /sap/bc/bsp/sap/it00/...

the Browser should combine this to

https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/.

this is at least, what the standards say.

If you are still in doubt, you may use <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/12/adc54044ed7b2de10000000a155106/frameset.htm">ICF Recorder</a> to look at the incoming requests or you can use the <a href="https://addons.mozilla.org/firefox/966/">Tamper Data</a> tool for firefox.

At the moment i have no clue why firefox makes that statement. To my understanding, it should not.

Kind regards,

Patrick

please award points to the person(s) that helped solving your question and tell us what the solution was.

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Tue, 06 Feb 2007 15:25:29 GMT

Hi Serge,

just double checked here on a NW2004s system. The post runs over https.

Regards,

Patrick

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Wed, 07 Feb 2007 23:01:25 GMT

Thanks again Patrick for your assistance.

I still don't know how to get rid of this warning which I don't have when using Internet Explorer.

Did you get the same warning with Firefox when using System Logon and the "Logon via HTTPS" option ? What application did you use for testing ?

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Thu, 08 Feb 2007 07:30:04 GMT

Hi Serge,

I did use the it00 example app and Mozilla 2.0.

There was no pop up in my case.

kind regards,

Patrick

please award points to the person(s) that helped solving your question and tell us what the solution was.

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Thu, 08 Feb 2007 08:50:16 GMT

Patrick,

I'd like to close this thread but on my side the problem is not solved yet. I don't know what I did wrong.

Again here is a list of the things I've done to allow user authentification through HTTPS on Web AS ABAP :

1) Configure SSL on the server :

a) Install SAP Cryptolib

b) Create SSL Server PSE (STRUST)

c) Send a certificate request to SAP (http://service.sap.com/ssltest)

d) Import the certificate response

e) Add the certificate to the certificate list

2) Configure ICM for HTTPS support (RZ10)

ssl/ssl_lib=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o

sec/libsapsecu=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o

ssf/ssfapi_lib=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o

ssf/name = SAPSECULIB

icm/server_port_<xx> = PROT=HTTPS, PORT=1443

3) Verify the activation of HTTPS

SMICM -> Goto -> Services

4) Configure the IT00 application (SICF)

a) Logon Data

Procedure = Standard

Use All Logon procedures not checked

Security requirements = standard

Authentification = standard SAP user

b) Error Pages

System Logon -> Configuration

Define Service-specific settings

Actions during Logon : Logon via HTTPS

Thank you

Kind regards

Serge

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Thu, 08 Feb 2007 09:01:21 GMT

Hi Serge,

that's the same I did, except that I did use port 443 instead of 1443. What Mozila did you use ? I'm still on 1.5.0.9.

regards,

Patrick

please award points to the person(s) that helped solving your question and tell us what the solution was.

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Thu, 08 Feb 2007 10:10:34 GMT

Patrick

I've uninstalled Firefox 2.0 and installed 1.5.0.9. I still have the same issue

I even use port 443 instead of 1443. It makes me crazy

Here is a copy of my ICM parameters (SMICM -> Goto -> Parameters -> Display)

ICM Parameter

Services

icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1

icm/server_port_1 = PROT=SMTP,PORT=0

icm/server_port_2 = PROT=HTTPS,PORT=443,EXTBIND=1

Hard limits

icm/max_services = 30

icm/listen_queue_len = 512

icm/req_queue_len = 500

icm/max_conn = 500

icm/max_sockets = 2048

Thread handling

icm/min_threads = 10

icm/max_threads = 50

icm/min_spare_threads = 3

Tracing and statistic

rdisp/TRACE = 1

icm/tracefile = dev_icm

icm/log_level = 0

icm/stat_level = 1

icm/security_log = LOGFILE=dev_icm_sec,MAXSIZEKB=500

icm/accept_remote_trace_level = 0

Monitoring

icm/ccms_monitoring = 1

icm/ccms_refresh_rate (sec.) = 30

Timeout handling

icm/keep_alive_timeout (sec.) = 60

icm/conn_timeout (msec.) = 5000

HTTP settings

icm/HTTP/max_request_size_KB = 102400

icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-10,PORT=50000,

SPORT=50003

icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=/usr/sap/ZT3/DVEBMGS00/dat

a/cache

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=/usr/sap/ZT3/DVEBMG

S00/data/icmanroot/admin,AUTHFILE=/usr/sap/ZT3/SYS

icm/HTTP/auth_0 = PREFIX=/,FILTER=SAP

HTTP(S) error handling

is/HTTP/show_detailed_errors = 1

HTTPS (SSL) settings

icm/HTTPS/verify_client = 1

ssf/name = SAPSECULIB

ssf/ssfapi_lib = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o

sec/libsapsecu = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o

ssl/ssl_lib = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o

Context Quotas

icm/HTTP/context_quota = 90%

icm/HTTPS/context_quota = 90%

icm/SMTP/context_quota = 90%

Memory Pipe settings

mpi/total_size_MB = 80

mpi/buffer_size = 65536

J2EE settings

rdisp/j2ee_start = 0

is/HTTP/default_root_hdl = J2EE

Content Filter settings

csi/enable = TRUE

csi/SAP/csa_lib = /usr/sap/ZT3/SYS/exe/run/libsapcsa.o

Misc

icm/host_name_full = pcyydsdv.pcy.edfgdf.fr

icm/cancel_strategy = cancel requests without session (stateless)

rdisp/plugin_auto_logout = 1800

is/HTTP/virt_host_0 = :;

is/SMTP/virt_host_0 = :;

I might give up but it will be a pity cause I'm close.

Thank you.

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Thu, 08 Feb 2007 10:33:02 GMT

I do not have the SMTP port open, but this is the only real difference (and I have some doubts, that this could be the reason).

Did you do a http trace or did you use tamper data to check what is happening ?

Regards,

Patrick

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Thu, 08 Feb 2007 12:06:10 GMT

Patrick,

Here is a Tamper log of the request to IT00 :

12:55:37.826[291ms][total 301ms] Status: 200[OK]

POST https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open Load Flags[INHIBIT_PERSISTENT_CACHING LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[765] Mime Type[text/html]

Request Headers:

Host[pcyydsdv.pcy.edfgdf.fr]

User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9]

Accept[text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5]

Accept-Language[en-us,en;q=0.5]

Accept-Encoding[gzip,deflate]

Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]

Keep-Alive[300]

Connection[keep-alive]

Referer[https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open]

Cookie[sap-usercontext=sap-language=FR&sap-client=100]

Post Data:

sap-system-login-oninputprocessing[onLogin]

sap-urlscheme[http]

sap-system-login[onLogin]

sap-system-login-basic_auth[]

sap-client[100]

sap-accessibility[]

sap-system-login-cookie_disabled[]

sap-user[smadja]

sap-password[...]

sap-language[FR]

Response Headers:

Set-Cookie[MYSAPSSO2=AjExMDABAAxTTUFESkEgICAgICACAAMxMDADAAhaVDMgICAgIAQADDIwMDcwMjA4MTIwMgUABAAAAAgGAAFYCQABRgoADFNNQURKQSAgICAgIAsAA1pUMwwACFpUMyAgICAgDQAMMjAwNzAyMDgxMjAyDgAA%2fwKBMIICfQYJKoZIhvcNAQcCoIICbjCCAmoCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAYYwggGCMIIBQgIBADAJBgcqhkjOOAQDMA4xDDAKBgNVBAMTA1pUMzAeFw05NzEwMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBaMA4xDDAKBgNVBAMTA1pUMzCB8TCBqAYHKoZIzjgEATCBnAJBAP%2f5NHN2y2abI%21kKFJStt%21ZEUcTVOz91DY6%21eP3H0syn75MU7%2fqAbsBCTKZl7Egcf9xoS0sZ0nO37pSoeTVNzwUCFQCK8B09W%21NPS6CUPRz0v0MMAG81qwJAa1Fw%21e9ZrQ2zGkzF%2flsfRO8IcNG4kLa23nP%2fxjsJOzLHRXc93ZMIp6gcmAQ0AbNSRtgA%21feqlnlr1Rf7%21ktvXANEAAJBAJ3dxO1lgagSp12ZLJvYfszkIwNsm8anwfwNZeLHgDguNzYJG797eqHRZ3BFMKnuTtb%21OI0SCLSPz%21KZaEhM0AkwCQYHKoZIzjgEAwMvADAsAhQfFOuI0mDltQeTVlaaYqYexUEEcAIUOVkFxWKzDOH1NhMn4aAAaYZxhhUxgcAwgb0CAQEwEzAOMQwwCgYDVQQDEwNaVDMCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA3MDIwODEyMDIwMFowIwYJKoZIhvcNAQkEMRYEFNlsFxxVr5jBe2ONBmgbX5bNiDuYMAkGByqGSM44BAMELjAsAhQX56F7K04d8XHb6yAvAtOSdenzNwIUXJY1UzvsP4hvfE3vmPzqqEqGSr0%3d; path=/; domain=.pcy.edfgdf.fr]

Content-Type[text/html; charset=iso-8859-1]

Content-Length[765]

Pragma[no-cache]

Cache-Control[no-cache]

Server[SAP Web Application Server (1.0;700)]

Shouldn't be the sap-urlscheme parameter set to https ?

Thank you.

Kind regards

Serge

Re: Web AS ABAP, Logon via HTTPS Help

Former Member — Thu, 08 Feb 2007 12:19:26 GMT

the post is done via HTTPS (so this data is secure).

The sap-urlscheme is HTTP as you requested only the logon to be HTTPS, not the subsequent pages.

Does firefox already bring his pop up now or only later ?

Regards,

Patrick